The longstanding Swiss Federal Act on Data Protection of 1992 will be replaced with new legislation to better protect Swiss citizens’ data (revFADP). The revFADP will improve the processing of personal data and grants Swiss citizens new rights consistent with other comprehensive laws, such as the General Data Protection Regulation (GDPR).
This change also introduces various increased obligations for companies doing business in Switzerland. Furthermore, while the revised legislation has many similarities to the GDPR, there are stark difference companies must be aware of.
The most important aspects companies must be aware of include:
– No compliance grace period: the revFADP takes effect on September 1, 2023 and there is no grace period for companies to become compliant.
– Expanded definition of sensitive data: the definition of sensitive personal data will be expanded to include genetic and biometric data that unequivocally identifies a natural person. The explicit consent of the data subject is required when processing sensitive personal data.
– Emphasized important of an “Independent” DPO: the Swiss Federal Data Protection and Information Commission (FDPIC) strongly emphasizes the importance of an independent DPO. Thus, the DPO’s activities should remain separate from other business activities of the company. Furthermore, it has been recommended that the DPOs speak at least one of the languages of Switzerland, for instance, French, German, Italian, Romansh.
– Breach Notice for Serious Attacks only and no clear notice timeframe: under the revFADP, the controller must notify the FDPIC of certain serious personal data breaches ‘as soon as possible.’ Furthermore, notice of breaches should only be made if they pose an ‘imminent danger’ to data subjects.
– Penalties: civil penalties will not be imposed by the revFADP but intentional violations can result in criminal sanctions of up to 250,000 Swiss Francs against individuals, which could potentially include DPOs and C-Suite Executives instead of the entity.
It is expected that the FDPIC will issue updates and guidance on the revFADP. These updates and guidance will continue to be monitored.
Does your company do business in Switzerland? Contact us, the Experts in Data Privacy at firstname.lastname@example.org, to ensure your company is compliant with the changes the revFADP will introduce.